CVE-2026-8689 describes a missing authorization vulnerability (CWE-862) in the Visualizer: Tables and Charts Manager for WordPress plugin. The flaw exists in the renderChartPages() and uploadData() functions, which are invoked by AJAX actions without verifying user capabilities. Specifically, wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart call renderChartPages() without current_user_can() checks, and wp_ajax_visualizer-upload-data calls uploadData() with a nonce validation that lacks an action argument, making it easily bypassed. This allows authenticated users with low privileges (Subscriber and above) to create arbitrary chart posts and access or modify chart data of other users, including administrators. The CVSS 3.1 base score is 4.3 (medium severity) reflecting low attack complexity but limited impact on confidentiality and no impact on availability or system integrity beyond the plugin data.

Authenticated users with Subscriber-level privileges or higher can exploit this vulnerability to create or modify chart posts and data belonging to other users, including administrators. This can lead to unauthorized modification of plugin data, potentially affecting the integrity of charts and reports generated by the plugin. There is no direct impact on system availability or broader confidentiality beyond the plugin's data. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict plugin usage to trusted users only and consider disabling or limiting access to the Visualizer plugin for lower-privileged users. Monitor vendor communications for updates and apply official patches promptly once available.